From 832ac138b0457abf163742d3ed65afaf02d93c61 Mon Sep 17 00:00:00 2001
From: Nikola Jokic
Date: Mon, 19 Jan 2026 12:37:23 +0100
Subject: [PATCH] role/sa
---
 .../templates/_helpers.tpl | 42 +++++++++
 .../templates/manager_role_binding.yaml | 22 +++++
 ...manager_role_binding_annotations_test.yaml | 48 ++++++++++
 .../manager_role_binding_labels_test.yaml | 91 +++++++++++++++++++
 charts/gha-runner-scale-set-dev/values.yaml | 6 ++
 5 files changed, 209 insertions(+)
 create mode 100644 charts/gha-runner-scale-set-dev/templates/manager_role_binding.yaml
 create mode 100644 charts/gha-runner-scale-set-dev/tests/manager_role_binding_annotations_test.yaml
 create mode 100644 charts/gha-runner-scale-set-dev/tests/manager_role_binding_labels_test.yaml
diff --git a/charts/gha-runner-scale-set-dev/templates/_helpers.tpl b/charts/gha-runner-scale-set-dev/templates/_helpers.tpl
index 555bc8c4..aeaedfcd 100644
--- a/charts/gha-runner-scale-set-dev/templates/_helpers.tpl
+++ b/charts/gha-runner-scale-set-dev/templates/_helpers.tpl
@@ -48,6 +48,48 @@ Reserved annotations are excluded from both levels. {{- end }} {{- end }} + +{{/* +The name of the manager RoleBinding. + +Kept intentionally aligned with the manager Role name, mirroring the legacy +chart behavior. +*/}} +{{- define "manager-role-binding.name" -}} +{{- include "manager-role.name" . -}} +{{- end }} + + +{{/* +Create the labels for the manager RoleBinding. +*/}} +{{- define "manager-role-binding.labels" -}} +{{- $resourceLabels := dict "app.kubernetes.io/component" "manager-role-binding" -}} +{{- $commonLabels := include "gha-common-labels" . | fromYaml -}} +{{- $userLabels := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRoleBinding.metadata.labels | default (dict)) | fromYaml -}} +{{- $global := include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.labels | default (dict)) | fromYaml -}} +{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }} +{{- end }} + + +{{/* +Create the annotations for the manager RoleBinding. + +Order of precedence: +1) resource.all.metadata.annotations +2) resource.managerRoleBinding.metadata.annotations +Reserved annotations are excluded from both levels. +*/}} +{{- define "manager-role-binding.annotations" -}} +{{- $global := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.all.metadata.annotations | default (dict))) | fromYaml -}} +{{- $resource := (include "apply-non-reserved-gha-labels-and-annotations" (.Values.resource.managerRoleBinding.metadata.annotations | default (dict))) | fromYaml -}} +{{- $annotations := mergeOverwrite $global $resource -}} +{{- if not (empty $annotations) -}} +{{- toYaml $annotations }} +{{- end }} +{{- end }} + + {{/* The name of the GitHub secret used for authentication. */}} 
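Review bot: The header comment on `manager-role-binding.labels` says only "Create the labels for the manager RoleBinding", while the sibling `manager-role-binding.annotations` helper in the same hunk documents its precedence order; the labels helper's `{{- toYaml (mergeOverwrite $global $userLabels $resourceLabels $commonLabels) }}` encodes an order that is just as non-obvious and is what keeps `app.kubernetes.io/component` and the `actions.github.com/*` selector labels from being overridden through values. I would extend that comment with a four-item precedence list (resource.all labels, then resource.managerRoleBinding labels, then the component label, then gha-common-labels, later entries winning) and the same sentence the annotations helper has about reserved keys being excluded from the two value-supplied levels, since both pass through `apply-non-reserved-gha-labels-and-annotations`. Renaming `$userLabels` to `$resource` would also align the two helpers' local names.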
diff --git a/charts/gha-runner-scale-set-dev/templates/manager_role_binding.yaml b/charts/gha-runner-scale-set-dev/templates/manager_role_binding.yaml
new file mode 100644
index 00000000..ae5e67cf
--- /dev/null
+++ b/charts/gha-runner-scale-set-dev/templates/manager_role_binding.yaml
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "manager-role-binding.name" . | quote }}
+ namespace: {{ include "autoscaling-runner-set.namespace" . | quote }}
+ labels:
+ {{- include "manager-role-binding.labels" . | nindent 4 }}
+ annotations:
+ {{- include "manager-role-binding.annotations" . | nindent 4 }}
+ finalizers:
+ - actions.github.com/cleanup-protection
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "manager-role.name" . | quote }}
+subjects:
+ {{- if not .Values.controllerServiceAccount }}
+ {{- fail "controllerServiceAccount must be set" -}}
+ {{- end }}
+ - kind: ServiceAccount
+ name: {{ required .Values.controllerServiceAccount.name "controllerServiceAccount.name must be set" | quote }}
+ namespace: {{ required .Values.controllerServiceAccount.namespace "controllerServiceAccount.namespace must be set" | quote }}
diff --git a/charts/gha-runner-scale-set-dev/tests/manager_role_binding_annotations_test.yaml b/charts/gha-runner-scale-set-dev/tests/manager_role_binding_annotations_test.yaml
new file mode 100644
index 00000000..8a5af545
--- /dev/null
+++ b/charts/gha-runner-scale-set-dev/tests/manager_role_binding_annotations_test.yaml
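Review bot: The two `required` calls on the subject `name` and `namespace` lines have their arguments reversed — Helm's `required` takes the message first and the value second, so as written the value being checked is the literal message string, the check can never trip, and the rendered subject fields become the message text instead of the configured service account. The fix is `name: {{ required "controllerServiceAccount.name must be set" .Values.controllerServiceAccount.name | quote }}` and `namespace: {{ required "controllerServiceAccount.namespace must be set" .Values.controllerServiceAccount.namespace | quote }}`. Since the subject is what grants the controller the manager Role in the runner namespace, the result is most likely an object the API server rejects (a ServiceAccount subject name containing spaces and dots is not a valid name) or a binding to an account that does not exist — either way the controller is left without the permissions this binding is supposed to confer. Neither new test suite asserts on `subjects`, which is why the `set: controllerServiceAccount.name: "arc"` inputs they provide never expose it.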
@@ -0,0 +1,48 @@
+suite: "Test Manager RoleBinding Annotations"
+templates:
+ - manager_role_binding.yaml
+tests:
+ - it: should merge global and resource annotations (resource wins)
+ set:
+ controllerServiceAccount.name: "arc"
+ controllerServiceAccount.namespace: "arc-system"
+ resource:
+ all:
+ metadata:
+ annotations:
+ owner: "platform"
+ environment: "production"
+ managerRoleBinding:
+ metadata:
+ annotations:
+ environment: "staging"
+ team: "backend"
+ release:
+ name: "test-name"
+ namespace: "test-namespace"
+ asserts:
+ - equal:
+ path: metadata.annotations["owner"]
+ value: "platform"
+ - equal:
+ path: metadata.annotations["team"]
+ value: "backend"
+ - equal:
+ path: metadata.annotations["environment"]
+ value: "staging"
+
+ - it: should not allow actions.github.com/* annotations from user input
+ set:
+ controllerServiceAccount.name: "arc"
+ controllerServiceAccount.namespace: "arc-system"
+ resource:
+ managerRoleBinding:
+ metadata:
+ annotations:
+ actions.github.com/something: "overridden"
+ release:
+ name: "test-name"
+ namespace: "test-namespace"
+ asserts:
+ - notExists:
+ path: metadata.annotations["actions.github.com/something"]
diff --git a/charts/gha-runner-scale-set-dev/tests/manager_role_binding_labels_test.yaml b/charts/gha-runner-scale-set-dev/tests/manager_role_binding_labels_test.yaml
new file mode 100644
index 00000000..9734387f
--- /dev/null
+++ b/charts/gha-runner-scale-set-dev/tests/manager_role_binding_labels_test.yaml
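Review bot: Both new suites exercise only `metadata` — nothing in this file or in manager_role_binding_labels_test.yaml asserts on `subjects` or `roleRef`, which are the parts of a RoleBinding that decide who actually receives the manager Role. A case that renders with the same `controllerServiceAccount.*` values every existing test already sets and pins `subjects[0].name` to `"arc"` and `subjects[0].namespace` to `"arc-system"` would lock down the binding's identity, and it would also surface the reversed `required` argument order in manager_role_binding.yaml. A second case that omits `controllerServiceAccount` entirely and uses a `failedTemplate` assertion would cover the `fail` branch. I would add the first case here (or in a dedicated subjects suite):

```yaml
  # … unchanged: existing annotation test cases …

  - it: should bind the configured controller service account
    set:
      controllerServiceAccount.name: "arc"
      controllerServiceAccount.namespace: "arc-system"
      release:
        name: "test-name"
        namespace: "test-namespace"
    asserts:
      - equal:
          path: subjects[0].kind
          value: "ServiceAccount"
      - equal:
          path: subjects[0].name
          value: "arc"
      - equal:
          path: subjects[0].namespace
          value: "arc-system"
      - equal:
          path: roleRef.kind
          value: "Role"
```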
@@ -0,0 +1,91 @@
+suite: "Test Manager RoleBinding Labels"
+templates:
+ - manager_role_binding.yaml
+tests:
+ - it: should render base labels
+ set:
+ controllerServiceAccount.name: "arc"
+ controllerServiceAccount.namespace: "arc-system"
+ release:
+ name: "test-name"
+ namespace: "test-namespace"
+ chart:
+ appVersion: "0.14.0"
+ asserts:
+ - equal:
+ path: metadata.labels["helm.sh/chart"]
+ value: "gha-rs-0.14.0"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/name"]
+ value: "test-name"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/instance"]
+ value: "test-name"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/component"]
+ value: "manager-role-binding"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/managed-by"]
+ value: "Helm"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/part-of"]
+ value: "gha-rs"
+ - equal:
+ path: metadata.labels["app.kubernetes.io/version"]
+ value: "0.14.0"
+ - equal:
+ path: metadata.labels["actions.github.com/scale-set-name"]
+ value: "test-name"
+ - equal:
+ path: metadata.labels["actions.github.com/scale-set-namespace"]
+ value: "test-namespace"
+
+ - it: should merge global and resource labels (resource wins)
+ set:
+ controllerServiceAccount.name: "arc"
+ controllerServiceAccount.namespace: "arc-system"
+ resource:
+ all:
+ metadata:
+ labels:
+ owner: "platform"
+ environment: "production"
+ managerRoleBinding:
+ metadata:
+ labels:
+ environment: "staging"
+ team: "backend"
+ release:
+ name: "test-name"
+ namespace: "test-namespace"
+ chart:
+ appVersion: "0.14.0"
+ asserts:
+ - equal:
+ path: metadata.labels["owner"]
+ value: "platform"
+ - equal:
+ path: metadata.labels["team"]
+ value: "backend"
+ - equal:
+ path: metadata.labels["environment"]
+ value: "staging"
+
+ - it: should not allow actions.github.com/* labels from user input
+ set:
+ controllerServiceAccount.name: "arc"
+ controllerServiceAccount.namespace: "arc-system"
+ resource:
+ managerRoleBinding:
+ metadata:
+ labels:
+ 
actions.github.com/scale-set-name: "overridden"
+ release:
+ name: "test-name"
+ namespace: "test-namespace"
+ chart:
+ appVersion: "0.14.0"
+ asserts:
+ - equal:
+ path: metadata.labels["actions.github.com/scale-set-name"]
+ value: "test-name"
diff --git a/charts/gha-runner-scale-set-dev/values.yaml b/charts/gha-runner-scale-set-dev/values.yaml
index efba6960..6a759220 100644
--- a/charts/gha-runner-scale-set-dev/values.yaml
+++ b/charts/gha-runner-scale-set-dev/values.yaml
@@ -109,6 +109,12 @@ resource:
 labels: {}
 annotations: {}
 extraRules: []
+
+ # Specifies metadata that will be applied to the manager RoleBinding resource
+ managerRoleBinding:
+ metadata:
+ labels: {}
+ annotations: {}
 # TODO: Add more resource customizations when needed
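Review bot: The "should not allow actions.github.com/* labels from user input" case only checks `actions.github.com/scale-set-name`, a key that `gha-common-labels` re-sets last in the helper's merge order, so the assertion passes on precedence alone and would keep passing even if the reserved-prefix filtering in `apply-non-reserved-gha-labels-and-annotations` were removed; the annotations suite proves the stronger property with `notExists`. I would mirror that here: add `actions.github.com/something: "overridden"` under `resource.managerRoleBinding.metadata.labels` and assert `- notExists:` / `path: metadata.labels["actions.github.com/something"]`, keeping the existing `equal` as a second assertion. The same gap exists for the `resource.all` level, which neither suite feeds a reserved key.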